Friday, April 22, 2016

A great pattern that we are seeing for implementing two-factor authentication is to use the TOTP (Time-based One-time Password Algorithm) standard for the second authentication step. What is so cool about TOTP is that it is flexible enough to allow your users to generate their authentication tokens directly on their smartphones using a TOTP app like Google Authenticator, or to have their tokens sent to their mobile phone via SMS.

In the case of IPv4, most client addresses are masked behind NAT; on your server side you ONLY see the globally routable address, which is the router's own global address.

In the case of IPv6, the local address, for all intents and purposes, will be the same as the global one, so you'll find it in $_SERVER['REMOTE_ADDR'].

That being said, I'd also like to caution you against using the X-Forwarded-For header for ANYTHING unless it comes from a trusted source (e.g. your own reverse proxy). The client can set this header to an arbitrary value and can cause some funny or even dangerous bugs to be triggered.

On a practical note, I'd like to add that using the IP address to limit how many times one can vote is a somewhat broken practice, since I rent at the moment a block of 16 IP addresses and I know people who can get their hands on a full C-sized block (255 addresses), and you'll be blocking lots of people behind provider NATs and such. In the case of IPv6 everyone will have billions of addresses anyway, so the whole concept of IP blocking will be a lot more broken.

I recommend you tie the voting to something a bit more stable like phone number or e-mail registration if possible.

Monday, April 18, 2016

.h264 is just a raw H.264 bytestream. That's just video content, which can be played back by sophisticated players, but usually you want to put everything into a container format, such as MPEG-4 Part 14 ("MP4").

Thursday, April 7, 2016

A forward proxy proxies on behalf of clients. The following setup will allow you to sit in the office and connect over SSH to a remote server. The remote server will act as the proxy server and forward all your requests to the destination server.

Use SSH tunnel as a secure forward proxy:

# ssh -D 8080 USER@HOST_NAME.COM

or

# ssh -N -f -D 8080 USER@HOST_NAME.COM

You will need to configure a SOCKS proxy server in Google Chrome by adding these two flags when launching Chrome:

Use this method if you want to use HTTPS (HTTP over TLS) to secure your Apache HTTP or Nginx web server, and you want to use a Certificate Authority (CA) to issue the SSL certificate. The CSR that is generated can be sent to a CA to request the issuance of a CA-signed SSL certificate. If your CA supports SHA-2, add the -sha256 option to sign the CSR with SHA-2.

Note: The -newkey rsa:2048 option specifies that the key should be 2048-bit, generated using the RSA algorithm.

Note: The -nodes option specifies that the private key should not be encrypted with a pass phrase.

Note: The -new option, which is not included here but implied, indicates that a CSR is being generated.

Generate a Self-Signed Certificate:

Use this method if you want to use HTTPS (HTTP over TLS) to secure your Apache HTTP or Nginx web server, and you do not require that your certificate is signed by a CA.

This command creates a 2048-bit private key (domain.key) and a self-signed certificate (domain.crt) from scratch: